South Carolina's governor faulted an outdated IRS standard as a contributing factor to a massive data breach that exposed Social Security numbers of 3.8 million taxpayers plus credit card and bank account data. Gov. Nikki Haley's remarks on Tuesday came after a report into the breach revealed that 74.7 GB was stolen from computers belonging to South Carolina's Department of Revenue after an employee fell victim to a phishing email. People who filed tax returns electronically from 1998 on were affected, although most of the data appears to be after 2002, Haley said during a news conference.

South Carolina is compliant with IRS rules, but the IRS does not require SSNs to be encrypted, she said. The state will now encrypt SSNs and is in the process of revamping its tax systems with stronger security controls. She said she has sent a letter to IRS to encourage the agency to update its standards to mandate encryption of SSNs.

The lack of encryption and strong user access controls plus dated 1970s-era equipment made DOR systems ripe for an attack, she said. ... The report, written by the security company Mandiant, found that an employee's computer became infected with malware after the user opened a phishing email. The hacker captured the person's username and password, which allowed access to the agency's Citrix remote access service. ...

The data included SSNs for 3.8 million tax filers and information on 1.9 million dependants, Haley said. Information belonging to 699,900 businesses was compromised, along with 3.3 million bank accounts and 5,000 credit card numbers, she said.

South Carolina has identified all of the victims, who will be notified by letter. The state is also working with Experian, which is monitoring credit information for victims.

As a result of the breach, DOR Director Jim Etter will resign effective Dec. 31. He will be replaced by Bill Blume, who is currently executive director of South Carolina's Public Employee Benefit Authority, Haley said.

A $25,000 dual password system likely would have prevented hackers from stealing state tax data belonging to 6.4 million consumers and businesses from the S.C. Department of Revenue, a special state Senate subcommittee investigating the data breach was told Wednesday.

“I almost fell out of my chair,” Sen. Kevin Bryant, R-Anderson, co-chairman of the cyber-security breach subcommittee, said after the hearing. “For $25,000, we wouldn’t be here.”

A computer security firm hired by the state told senators that hackers would have been thwarted by requiring Revenue Department employees to log in twice – once with a password that changes every minute.

Dual passwords are required by the Internal Revenue Service for agencies, such as state tax departments, that access federal tax records remotely, but the S.C. Revenue Department did not install the system until after the breach. The password system is costing $25,000, agency director James Etter told senators.

Comments

I really think that, if the "Right to Privacy" really meant anything in America, the result would be a wholesale hatred of the Income Tax. What can be more invasive of privacy, than sending to the government everything about you--including number of children, how much you make, how much interest you pay on your mortgage, and so forth?

Posted by: Alpheus | Nov 30, 2012 7:51:06 AM

The IRS didn't mandate encryption, but it also didn't prohibit it. And when South Carolina didn't use encryption, it's the IRS's fault. So, what Nikki Haley wants is for the federal government to tell her how to run her state.

Damn, Nikki Haley is stupid.

Posted by: Anonymous | Nov 30, 2012 10:15:45 AM

1. So, Alpheus, what's your point? Taxpayers should just send in whatever they are moved to contribute to the common welfare?

2. As for "Governor" Haley, the SC DoR messed up on her watch and she blames the IRS for not requiring states to encrypt SSNs. Wow. I guess the IRS must have a rule prohibiting "the laboratories of innovation" from using excessive security measures. In New York, they call that chutzpah.

3. At the same time, Her Honor's own contractor-investigator concluded that SC could have averted the hack by spending $25k on a double password system. Sounds like this particular laboratory of innovation was penny-wise and pound-foolish.

Posted by: Publius Novus | Nov 30, 2012 10:46:08 AM

Alpheus, how about the census and wanting to know how many toilets you have?

The IRS is at fault because it did not make us (SC) encrypt SSNs on state tax returns? Really? Is the SC State Police at fault when homes and cars get robbed because it didn't tell the idiots who left their stuff unlocked to lock it for safety and because the SC State Police were not protecting everyone's unlocked stuff?

C'mon, if you are going to pass the buck and lay the blame, why not just go straight to the source and say it is FDR's fault for inventing Social Security -- because if there was none there would be no Social Security numbers to steal.

And surely it is not the fault of the State employee who apparently SC did not train well enough to not fall for a phishing scam (or did SC have outdated technology policies that allowed this employee to be phished?).

Posted by: tax guy | Nov 30, 2012 12:39:08 PM

What did she actually say? If she's giving a speech saying this is what happened, the state was following the guidelines but clearly those are not adequate so we are going to, from now on, exceed the IRS requirements for securing data... Yes, I suppose that could come across as blaming the IRS for having inadequate guidelines, because clearly the IRS has inadequate guidelines. She's also replacing the person who really ought to have been considering the operations, so that someone should have realized that there were vulnerabilities.

In the end how much it sounds like finger pointing and blame deflection depends on what *precisely* she said, and even such things as her tone of voice when she said it. The PC World article quotation doesn't actually say anything other than that she identified the outdated standard as a contributing factor... that's far from "all their fault"... and the quoted part of The State article doesn't mention finger pointing at all.

Is it totally stupid to depend on IRS guidelines or make an excuse that they were inadequate? Of course. But I don't see how she could have avoided mentioning it. And there is a whole lot of range on the blame-continuum between the two. What did she *say*?